Code Red floods helpdesks, not Internet

The widely publicized Code Red worm may not have caused a significant slowdown of the Internet, but it did flood technical support phone lines at antivirus companies, several European antivirus software vendors said Friday.

Many Internet users who were in fact immune to Code Red were scared by the alert that was sent out Sunday by a number of U.S. government and private organizations, the vendors said. The alert – headlined “A Very Real and Present Threat to the Internet: July 31 Deadline For Action” – predicted Code Red would cause sporadic but widespread outages of the Internet.

“Our tech support line received many calls from home users who are not affected but heard about Code Red and were very scared, hollow scares,” said Dennis Zenkin, spokesman for Moscow-based antivirus vendor Kaspersky Lab Ltd.

“We have been getting thousands and thousands of phone calls. It is a real shame, that imaginative alert from the FBI (the U.S. Federal Bureau of Investigation). The title reads like a John Grisham novel,” seconded Graham Cluley, senior technical consultant at Abingdon, England-based Sophos PLC.

Helpdesk agents at F-Secure Corp., an Espoo, Finland-based antivirus vendor, also received a much higher than normal number of calls, said Mikko Hypponen, manager of antivirus research.

“Lots of people called and said they had disconnected their computer from the Internet and wanted to know when it would be safe to hook it back up. Many of these people were typical consumers running Windows 98. The only thing they could notice from Code Red is a slowdown of the Internet,” he said.

A Web site administrator at a relatively large Finnish company, who was called in to work at 3 A.M. to protect his servers, also called Hypponen for advice.

“The chief executive officer had seen something on CNN about Code Red and called the Web master. His systems were all Linux-based, so he really had nothing to worry about,” said Hypponen.

Code Red is a self-propagating worm that exploits a flaw in Internet Information Server (IIS), a part of Microsoft Corp.’s Windows 2000 and Windows NT server software. It scans the Internet for vulnerable systems and infects these systems by installing itself. A patch for the flaw has been available since mid-June.

All three European vendors blame the panic on the unprecedented joint alert and the often incomplete media attention it received. The alert was issued by, among others, the FBI’s National Infrastructure Protection Center, the Computer Emergency Response Team (CERT Coordination Center), the SANS Institute and Microsoft Corp.

“I am very skeptical about warnings that predict Internet meltdowns. They have done more harm than good. They needed to make clear that this didn’t affect home users. I think that many people that downloaded the patch are home users,” said Sophos’ Cluley.

“This issue is difficult to solve,” commented Hypponen, who said he approves of the way the alert was issued, but said he would have picked a different headline. “People that don’t have any understanding of the topic will freak out, no matter how detailed your announcement is.”

The vendors are afraid that, because the Internet did not go down, the alert will negatively reflect on the antivirus community.

“The average person on the street will forget that the announcement came from the FBI and Microsoft and see this as another example of the antivirus industry warning for something that turns out to be a nonevent,” said Cluley.

Hypponen agreed, but said it is clear that the antivirus industry wasn’t involved in issuing the alert for the virus.

“Typically it is the antivirus industry that is blamed for touting a virus to get more sales. The alert had an accurate view, although it was very Tom Clancy-like.”
